U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL

Fiscal Year 2013
Federal Information Security Management Act Report

Status of EPA's Computer Security Program

Report No. 14-P-0033                                   November 26, 2013


Report Contributors:
    Rudolph M. Brevard
    Cheryl Reid
    Michael Goode
    Vincent Campbell
    Sabrena Stewart
    Neven Soliman
    Gina Ross
    Nii-Lantei Lamptey
    Iantha Maness


Abbreviations

BIA         Business Impact Analysis
EPA         U.S. Environmental Protection Agency
FDCC        Federal Desktop Core Configurations
FISMA       Federal Information Security Management Act
GAO         U.S. Government Accountability Office
MOU         Memorandum of Understanding
NIST        National Institute of Standards and Technology
OEI         Office of Environmental Information
OIG         Office of Inspector General
OMB         Office of Management and Budget
POA&M       Plan of Action & Milestones
SP          Special Publication
US-CERT     U.S. Computer Emergency Readiness Team
USGCB       U.S. Government Configuration Baseline


Hotline
To report fraud, waste or abuse, contact us through one of the following methods:

email:    OIG_Hotline@epa.gov
phone:    1-888-546-8740
fax:      1-202-566-2599
online:   http://www.epa.gov/oig/hotline.htm
write:    EPA Inspector General Hotline
          1200 Pennsylvania Avenue, NW
          Mailcode 2431T
          Washington, DC 20460

Suggestions for Audits or Evaluations
To make suggestions for audits or evaluations, contact us through one of the following methods:

email:    OIG_WEBCOMMENTS@epa.gov
phone:    1-202-566-2391
fax:      1-202-566-2599
online:   http://www.epa.gov/oig/contact.html#Full_Info
write:    EPA Inspector General
          1200 Pennsylvania Avenue, NW
          Mailcode 2410T
          Washington, DC 20460


U.S. Environmental Protection Agency                            14-P-0033
Office of Inspector General                             November 26, 2013

At a Glance

Fiscal Year 2013 Federal Information Security Management Act Report:
Status of EPA's Computer Security Program

Why We Did This Review

The U.S. Environmental Protection Agency's (EPA's) Office of Inspector General (OIG)
conducted this review to assess the EPA's compliance with the Federal Information
Security Management Act (FISMA). FISMA requires Inspectors General to prepare an
annual evaluation of their agencies' information security programs and practices.
The Department of Homeland Security issued reporting guidelines requesting
information on 11 information system security practices within federal agencies.

This report addresses the following EPA theme:

  • Embracing EPA as a high performing organization.

What We Found

The EPA has established an agencywide information security program that assesses
the security state of information systems that is consistent with FISMA
requirements and applicable policy and guidelines for the following areas:

  • Continuous Monitoring Management
  • Identity and Access Management
  • Incident Response and Reporting
  • Security Training
  • Plan of Action and Milestones
  • Remote Access Management
  • Contingency Planning
  • Security Capital Planning

However, the EPA should place more management emphasis on remediating significant
deficiencies found within the agency's configuration management, risk management
and contractor systems management practices. The agency should take steps to:

  • Improve processes for timely remediation of scan result deviations.
  • Address risks from an organizational, mission and business, and information
    system perspective.
  • Obtain sufficient assurance that security controls for contractor systems are
    effectively implemented and comply with federal and organization guidelines.

We briefed the agency on the results of our audit work and, where appropriate,
made adjustments to address its concerns.

    The EPA's network and data could be exploited without processes to evaluate
    risks and timely remediate vulnerabilities. Data processed by EPA contractors
    could be at risk because adequate controls may not be in place.

For further information, contact our public affairs office at (202) 566-2391.

The full report is at:
www.epa.gov/oig/reports/2014/20131126-14-P-0033.pdf


UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

THE INSPECTOR GENERAL

November 26, 2013

MEMORANDUM

SUBJECT:      Fiscal Year 2013 Federal Information Security Management Act Report:
              Status of EPA's Computer Security Program
              Report No. 14-P-0033

FROM:         Arthur A. Elkins Jr.

TO:           Gina McCarthy
              Administrator

Attached is the Office of Inspector General's (OIG's) Fiscal Year 2013 Federal
Information Security Management Act (FISMA) Reporting Template, as prescribed by the
Office of Management and Budget (OMB). We performed this review in accordance with
generally accepted government auditing standards. These standards require the team
to plan and perform the review to obtain sufficient and appropriate evidence to
provide a reasonable basis for the findings and conclusions based on the objectives
of the review.

We believe the evidence obtained provides a reasonable basis for our findings and
conclusions, and in all material respects, meets the FISMA reporting requirements
prescribed by OMB. In accordance with OMB reporting instructions, we are forwarding
this report to you for submission, along with the agency's required information, to
the Director of OMB.

We briefed agency officials on the results of our audit work and, where appropriate,
made an adjustment in the Continuous Monitoring section to address their concern.
The agency needs to make improvements in the following programs:
(1) Configuration Management, (2) Risk Management, and (3) Contractor Systems.

We will post this report on our website at http://www.epa.gov/oig.

If you or your staff have any questions regarding this report, please contact
Richard Eyermann, Acting Assistant Inspector General for Audit, at 202-566-0565 or
eyermann.richard@epa.gov; or Rudolph M. Brevard, Director for Information Resources
Management Audits, at 202-566-0893 or brevard.rudy@epa.gov.


Inspector General Section Report
2013 Annual FISMA Report
Environmental Protection Agency


Section 1: Continuous Monitoring Management

1.1   Has the organization established an enterprise-wide continuous monitoring
      program that assesses the security state of information systems that is
      consistent with FISMA requirements, OMB policy, and applicable NIST
      guidelines? Besides the improvement opportunities that may have been
      identified by the OIG, does the program include the following attributes?
      Yes

      1.1.1   Documented policies and procedures for continuous monitoring
              (NIST SP 800-53: CA-7).
              Yes
      1.1.2   Documented strategy and plans for continuous monitoring
              (NIST SP 800-37 Rev 1, Appendix G).
              Yes
      1.1.3   Ongoing assessments of security controls (system-specific, hybrid,
              and common) that have been performed based on the approved
              continuous monitoring plans (NIST SP 800-53, NIST 800-53A).
              Yes
      1.1.4   Provides authorizing officials and other key system officials with
              security status reports covering updates to security plans and
              security assessment reports, as well as a common and consistent
              POA&M program that is updated with the frequency defined in the
              strategy and/or plans (NIST SP 800-53, 800-53A).
              Yes

1.2   Please provide any additional information on the effectiveness of the
      organization's Continuous Monitoring Management Program that was not noted
      in the questions above.
      N/A


Section 2: Configuration Management

2.1   Has the organization established a security configuration management program
      that is consistent with FISMA requirements, OMB policy, and applicable NIST
      guidelines? Besides the improvement opportunities that may have been
      identified by the OIG, does the program include the following attributes?
      No

      Comments:  The OIG issued "Briefing Report: Improvements Needed in EPA's
                 Information Security Program," Report No. 13-P-0257, dated
                 May 13, 2013, which documented that EPA did not have a process
                 for timely remediation of configuration compliance scans; fully
                 implement Federal Desktop Core Configurations/U.S. Government
                 Configuration Baseline (FDCC/USGCB) secure configuration
                 settings; and have a specified, documented timeline to correct
                 deviations from baseline configurations.

OIG Report - Annual 2013                                            Page 1 of 14

      2.1.1   Documented policies and procedures for configuration management.
              Yes
      2.1.2   Defined standard baseline configurations.
              Yes
      2.1.3   Assessments of compliance with baseline configurations.
              No
      2.1.4   Process for timely, as specified in organization policy or
              standards, remediation of scan result deviations.
              No
      2.1.5   For Windows-based components, USGCB secure configuration settings
              are fully implemented, and any deviations from USGCB baseline
              settings are fully documented.
              No
      2.1.6   Documented proposed or actual changes to hardware and software
              configurations.
              Yes
      2.1.7   Process for timely and secure installation of software patches.
              No
      2.1.8   Software assessing (scanning) capabilities are fully implemented
              (NIST SP 800-53: RA-5, SI-2).
              Yes
      2.1.9   Configuration-related vulnerabilities, including scan findings,
              have been remediated in a timely manner, as specified in
              organization policy or standards. (NIST SP 800-53: CM-4, CM-6,
              RA-5, SI-2)
              No
      2.1.10  Patch management process is fully developed, as specified in
              organization policy or standards. (NIST SP 800-53: CM-3, SI-2).
              No

2.2   Please provide any additional information on the effectiveness of the
      organization's Configuration Management Program that was not noted in the
      questions above.
      N/A


Section 3: Identity and Access Management

3.1   Has the organization established an identity and access management program
      that is consistent with FISMA requirements, OMB policy, and applicable NIST
      guidelines and which identifies users and network devices? Besides the
      improvement opportunities that have been identified by the OIG, does the
      program include the following attributes?
      Yes

      3.1.1   Documented policies and procedures for account and identity
              management (NIST SP 800-53: AC-1).
              Yes
      3.1.2   Identifies all users, including Federal employees, contractors, and
              others who access organization systems (NIST SP 800-53, AC-2).
              No
      3.1.3   Identifies when special access requirements (e.g., multi-factor
              authentication) are necessary.
              Yes
      3.1.4   If multi-factor authentication is in use, it is linked to the
              organization's PIV program where appropriate (NIST SP 800-53, IA-2).
              Yes
      3.1.5   Organization has planned for implementation of PIV for logical
              access in accordance with government policies (HSPD 12, FIPS 201,
              OMB M-05-24, OMB M-07-06, OMB M-08-01, OMB M-11-11).
              Yes
      3.1.6   Organization has adequately planned for implementation of PIV for
              physical access in accordance with government policies (HSPD 12,
              FIPS 201, OMB M-05-24, OMB M-07-06, OMB M-08-01, OMB M-11-11).
              Yes
      3.1.7   Ensures that the users are granted access based on needs and
              separation-of-duties principles.
              Yes
      3.1.8   Identifies devices with IP addresses that are attached to the
              network and distinguishes these devices from users (For example:
              IP phones, faxes, printers are examples of devices attached to the
              network that are distinguishable from desktops, laptops or servers
              that have user accounts).
              Yes
      3.1.9   Identifies all user and non-user accounts. (Refers to user accounts
              that are on a system. Data user accounts are created to pull
              generic information from a database or a guest/anonymous account
              for generic login purposes. They are not associated with a single
              user or a specific group of users.)
              Yes
      3.1.10  Ensures that accounts are terminated or deactivated once access is
              no longer required.
              No
      3.1.11  Identifies and controls use of shared accounts.
              Yes

3.2   Please provide any additional information on the effectiveness of the
      organization's Identity and Access Management Program that was not noted in
      the questions above.
      N/A


Section 4: Incident Response and Reporting

4.1   Has the organization established an incident response and reporting program
      that is consistent with FISMA requirements, OMB policy, and applicable NIST
      guidelines? Besides the improvement opportunities that may have been
      identified by the OIG, does the program include the following attributes?
      Yes

      4.1.1   Documented policies and procedures for detecting, responding to,
              and reporting incidents (NIST SP 800-53: IR-1).
              Yes
      4.1.2   Comprehensive analysis, validation and documentation of incidents.
              Yes
      4.1.3   When applicable, reports to US-CERT within established timeframes
              (NIST SP 800-53, 800-61, and OMB M-07-16, M-06-19).
              Yes
      4.1.4   When applicable, reports to law enforcement within established
              timeframes (NIST SP 800-61).
              No
      4.1.5   Responds to and resolves incidents in a timely manner, as specified
              in organization policy or standards, to minimize further damage
              (NIST SP 800-53, 800-61, and OMB M-07-16, M-06-19).
              Yes
      4.1.6   Is capable of tracking and managing risks in a virtual/cloud
              environment, if applicable.
              Yes
      4.1.7   Is capable of correlating incidents.
              Yes
      4.1.8   Has sufficient incident monitoring and detection coverage in
              accordance with government policies (NIST SP 800-53, 800-61;
              OMB M-07-16, M-06-19).
              Yes

4.2   Please provide any additional information on the effectiveness of the
      organization's Incident Management Program that was not noted in the
      questions above.
      N/A


Section 5: Risk Management

5.1   Has the organization established a risk management program that is
      consistent with FISMA requirements, OMB policy, and applicable NIST
      guidelines? Besides the improvement opportunities that may have been
      identified by the OIG, does the program include the following attributes?
      No

      Comments:  The OIG issued "Briefing Report: Improvements Needed in EPA's
                 Information Security Program," Report No. 13-P-0257, dated
                 May 13, 2013, which documented that EPA's risk management
                 program's Risk Executive Group needs to define the core mission
                 and business processes for the organization (including any
                 derivative or related mission and business processes carried
                 out by subordinate organizations).

      5.1.1   Documented policies and procedures for risk management, including
              descriptions of the roles and responsibilities of participants in
              this process.
              Yes
      5.1.2   Addresses risk from an organization perspective with the
              development of a comprehensive governance structure and
              organization-wide risk management strategy as described in
              NIST SP 800-37, Rev. 1.
              No
      5.1.3   Addresses risk from a mission and business process perspective and
              is guided by the risk decisions from an organizational perspective,
              as described in NIST SP 800-37, Rev. 1.
              No
      5.1.4   Addresses risk from an information system perspective and is guided
              by the risk decisions from an organizational perspective and the
              mission and business perspective, as described in NIST SP 800-37,
              Rev. 1.
              No
      5.1.5   Has an up-to-date system inventory.
              No
      5.1.6   Categorizes information systems in accordance with government
              policies.
              Yes
      5.1.7   Selects an appropriately tailored set of baseline security controls.
              Yes
      5.1.8   Implements the tailored set of baseline security controls and
              describes how the controls are employed within the information
              system and its environment of operation.
              Yes
      5.1.9   Assesses the security controls using appropriate assessment
              procedures to determine the extent to which the controls are
              implemented correctly, operating as intended, and producing the
              desired outcome with respect to meeting the security requirements
              for the system.
              Yes
      5.1.10  Authorizes information system operation based on a determination
              of the risk to organizational operations and assets, individuals,
              other organizations, and the Nation resulting from the operation
              of the information system and the decision that this risk is
              acceptable.
              Yes
      5.1.11  Ensures information security controls are monitored on an ongoing
              basis including assessing control effectiveness, documenting
              changes to the system or its environment of operation, conducting
              security impact analyses of the associated changes, and reporting
              the security state of the system to designated organizational
              officials.
              Yes
      5.1.12  Information-system-specific risks (tactical), mission/business-
              specific risks, and organizational-level (strategic) risks are
              communicated to appropriate levels of the organization.
              Yes
      5.1.13  Senior officials are briefed on threat activity on a regular basis
              by appropriate personnel (e.g., CISO).
              Yes
      5.1.14  Prescribes the active involvement of information system owners and
              common control providers, chief information officers, senior
              information security officers, authorizing officials, and other
              roles as applicable in the ongoing management of information
              system-related security risks.
              Yes
      5.1.15  Security authorization package contains system security plan,
              security assessment report, and POA&M in accordance with
              government policies. (NIST SP 800-18, 800-37).
              Yes
      5.1.16  Security authorization package contains accreditation boundaries,
              defined in accordance with government policies, for organization
              information systems.
              Yes

5.2   Please provide any additional information on the effectiveness of the
      organization's Risk Management Program that was not noted in the questions
      above.
      N/A


Section 6: Security Training

6.1   Has the organization established a security training program that is
      consistent with FISMA requirements, OMB policy, and applicable NIST
      guidelines? Besides the improvement opportunities that may have been
      identified by the OIG, does the program include the following attributes?
      Yes

      6.1.1   Documented policies and procedures for security awareness training
              (NIST SP 800-53: AT-1).
              Yes
      6.1.2   Documented policies and procedures for specialized training for
              users with significant information security responsibilities.
              Yes
      6.1.3   Security training content based on the organization and roles, as
              specified in organization policy or standards.
              Yes
      6.1.4   Identification and tracking of the status of security awareness
              training for all personnel (including employees, contractors, and
              other organization users) with access privileges that require
              security awareness training.
              Yes
      6.1.5   Identification and tracking of the status of specialized training
              for all personnel (including employees, contractors, and other
              organization users) with significant information security
              responsibilities that require specialized training.
              Yes
      6.1.6   Training material for security awareness training contains
              appropriate content for the organization (NIST SP 800-50, 800-53).
              Yes

6.2   Please provide any additional information on the effectiveness of the
      organization's Security Training Program that was not noted in the
      questions above.
      N/A


Section 7: Plan Of Action & Milestones (POA&M)

7.1   Has the organization established a POA&M program that is consistent with
      FISMA requirements, OMB policy, and applicable NIST guidelines and tracks
      and monitors known information security weaknesses? Besides the improvement
      opportunities that may have been identified by the OIG, does the program
      include the following attributes?
      Yes

      7.1.1   Documented policies and procedures for managing IT security
              weaknesses discovered during security control assessments and that
              require remediation.
              Yes
      7.1.2   Tracks, prioritizes and remediates weaknesses.
              Yes
      7.1.3   Ensures remediation plans are effective for correcting weaknesses.
              No
      7.1.4   Establishes and adheres to milestone remediation dates.
              Yes
      7.1.5   Ensures resources and ownership are provided for correcting
              weaknesses.
              Yes
      7.1.6   POA&Ms include security weaknesses discovered during assessments of
              security controls and that require remediation (do not need to
              include security weakness due to a risk-based decision to not
              implement a security control) (OMB M-04-25).
              No
      7.1.7   Costs associated with remediating weaknesses are identified
              (NIST SP 800-53, Rev. 3, Control PM-3 and OMB M-04-25).
              Yes
      7.1.8   Program officials report progress on remediation to CIO on a
              regular basis, at least quarterly, and the CIO centrally tracks,
              maintains, and independently reviews/validates the POA&M
              activities at least quarterly (NIST SP 800-53, Rev. 3,
              Control CA-5; OMB M-04-25).
              Yes

7.2   Please provide any additional information on the effectiveness of the
      organization's POA&M Program that was not noted in the questions above.
      The OIG issued "Briefing Report: Improvements Needed in EPA's Information
      Security Program," Report No. 13-P-0257, dated May 13, 2013, which
      documented the EPA does not have POA&M processes that provide assurance
      that identified weaknesses have been corrected.


Section 8: Remote Access Management

8.1   Has the organization established a remote access program that is consistent
      with FISMA requirements, OMB policy, and applicable NIST guidelines? Besides
      the improvement opportunities that may have been identified by the OIG,
      does the program include the following attributes?
      Yes

      8.1.1   Documented policies and procedures for authorizing, monitoring, and
              controlling all methods of remote access (NIST SP 800-53: AC-1,
              AC-17).
              Yes
      8.1.2   Protects against unauthorized connections or subversion of
              authorized connections.
              Yes
      8.1.3   Users are uniquely identified and authenticated for all access
              (NIST SP 800-46, Section 4.2, Section 5.1).
              Yes
      8.1.4   Telecommuting policy is fully developed (NIST SP 800-46,
              Section 5.1).
              Yes
      8.1.5   If applicable, multi-factor authentication is required for remote
              access (NIST SP 800-46, Section 2.2, Section 3.3).
              Yes
      8.1.6   Authentication mechanisms meet NIST Special Publication 800-63
              guidance on remote electronic authentication, including strength
              mechanisms.
              Yes
      8.1.7   Defines and implements encryption requirements for information
              transmitted across public networks.
              Yes
      8.1.8   Remote access sessions, in accordance with OMB M-07-16, are
              timed-out after 30 minutes of inactivity, after which
              re-authentication is required.
              Yes
      8.1.9   Lost or stolen devices are disabled and appropriately reported
              (NIST SP 800-46, Section 4.3, US-CERT Incident Reporting
              Guidelines).
              Yes
      8.1.10  Remote access rules of behavior are adequate in accordance with
              government policies (NIST SP 800-53, PL-4).
              Yes
      8.1.11  Remote access user agreements are adequate in accordance with
              government policies (NIST SP 800-46, Section 5.1, NIST SP 800-53,
              PS-6).
              Yes

8.2   Please provide any additional information on the effectiveness of the
      organization's Remote Access Management that was not noted in the questions
      above.
      N/A

8.3   Does the organization have a policy to detect and remove unauthorized
      (rogue) connections?
      Yes


Section 9: Contingency Planning

9.1   Has the organization established an enterprise-wide business
      continuity/disaster recovery program that is consistent with FISMA
      requirements, OMB policy, and applicable NIST guidelines? Besides the
      improvement opportunities that may have been identified by the OIG, does
      the program include the following attributes?
      Yes

      9.1.1   Documented business continuity and disaster recovery policy
              providing the authority and guidance necessary to reduce the
              impact of a disruptive event or disaster (NIST SP 800-53: CP-1).
              Yes
      9.1.2   The organization has incorporated the results of its system's
              Business Impact Analysis (BIA) into the analysis and strategy
              development efforts for the organization's Continuity of
              Operations Plan (COOP), Business Continuity Plan (BCP), and
              Disaster Recovery Plan (DRP) (NIST SP 800-34).
              No
      9.1.3   Development and documentation of division, component, and IT
              infrastructure recovery strategies, plans and procedures
              (NIST SP 800-34).
              Yes
      9.1.4   Testing of system specific contingency plans.
              Yes
      9.1.5   The documented BCP and DRP are in place and can be implemented when
              necessary (FCD1, NIST SP 800-34).
              Yes
      9.1.6   Development of test, training, and exercise (TT&E) programs (FCD1,
              NIST SP 800-34, NIST SP 800-53).
              Yes
      9.1.7   Testing or exercising of BCP and DRP to determine effectiveness and
              to maintain current plans.
              Yes
      9.1.8   After-action report that addresses issues identified during
              contingency/disaster recovery exercises (FCD1, NIST SP 800-34).
              Yes
      9.1.9   Systems that have alternate processing sites (FCD1, NIST SP 800-34,
              NIST SP 800-53).
      Yes\n          9.1.10   Alternate processing sites are not subject to the same risks as primary sites (FCD1, NIST SP 800-34, NIST SP 800-53).\n                   Yes\n          9.1.11   Backups of information that are performed in a timely manner (FCD1, NIST SP 800-34, NIST SP 800-53).\n                   Yes\n          9.1.12   Contingency planning that considers supply chain threats.\n                   No\n9.2      Please provide any additional information on the effectiveness of the organization\xe2\x80\x99s Contingency Planning Program that was not noted in the\n         questions above.\n          N/A\n\nSection 10: Contractor Systems\n10.1     Has the organization established a program to oversee systems operated on its behalf by contractors or other entities, including organization\n         systems and services residing in the cloud external to the organization? Besides the improvement opportunities that may have been identified\n         by the OIG, does the program includes the following attributes?\n          No\n                   Comments:      EPA did not complete an assessment of the security controls for three of the five systems we reviewed.\n          10.1.1   Documented policies and procedures for information security oversight of systems operated on the organization\xe2\x80\x99s behalf by\n                   contractors or other entities, including organization systems and services residing in a public cloud.\n                   Yes\n\n\n\n\nOIG Report - Annual 2013                                                                                                                                 Page 12 of 14\n\x0cSection 10: Contractor Systems\n          10.1.2   The organization obtains sufficient assurance that security controls of such systems and services are effectively implemented and\n                   comply with Federal and organization guidelines (NIST SP 800-53: CA-2).\n                   No\n          10.1.3   A complete 
inventory of systems operated on the organization\xe2\x80\x99s behalf by contractors or other entities, including organization systems\n                   and services residing in a public cloud.\n                   No\n          10.1.4   The inventory identifies interfaces between these systems and organization-operated systems (NIST SP 800-53: PM-5).\n                   No\n          10.1.5   The organization requires appropriate agreements (e.g., MOUs, Interconnection Security Agreements, contracts, etc.) for interfaces\n                   between these systems and those that it owns and operates.\n                   No\n          10.1.6   The inventory of contractor systems is updated at least annually.\n                   No\n          10.1.7   Systems that are owned or operated by contractors or entities, including organization systems and services residing in a public cloud,\n                   are compliant with FISMA requirements, OMB policy, and applicable NIST guidelines.\n                   No\n10.2     Please provide any additional information on the effectiveness of the organization\xe2\x80\x99s Contractor Systems Program that was not noted in the\n         questions above.\n          N/A\n\nSection 11: Security Capital Planning\n11.1     Has the organization established a security capital planning and investment program for information security? 
Besides the improvement\n         opportunities that may have been identified by the OIG, does the program include the following attributes?\n          Yes\n          11.1.1   Documented policies and procedures to address information security in the capital planning and investment control (CPIC) process.\n                   Yes\n\n\n\n\nOIG Report - Annual 2013                                                                                                                                    Page 13 of 14\n\x0cSection 11: Security Capital Planning\n          11.1.2   Includes information security requirements as part of the capital planning and investment process.\n                   Yes\n          11.1.3   Establishes a discrete line item for information security in organizational programming and documentation (NIST SP 800-53: SA-2).\n                   Yes\n          11.1.4   Employs a business case/Exhibit 300/Exhibit 53 to record the information security resources required (NIST SP 800-53: PM-3).\n                   Yes\n          11.1.5   Ensures that information security resources are available for expenditure as planned.\n                   Yes\n11.2     Please provide any additional information on the effectiveness of the organization\xe2\x80\x99s Security Capital Planning Program that was not noted in\n         the questions above.\n          N/A\n\n\n\n\nOIG Report - Annual 2013                                                                                                                                Page 14 of 14\n\x0c                                                                                Appendix A\n\n                                    Distribution\nOffice of the Administrator\nAssistant Administrator for Environmental Information and Chief Information Officer\nAgency Follow-Up Official (the CFO)\nAgency Follow-Up Coordinator\nGeneral Counsel\nAssociate Administrator for Congressional and Intergovernmental Relations\nAssociate Administrator 
for External Affairs and Environmental Information\nDeputy Assistant Administrator for Environmental Information\nDirector, Office of Technology Operations and Planning, Office of Environmental Information\nSenior Agency Information Security Officer, Office of Environmental Information\nDirector, Technology and Information Security Staff, Office of Environmental Information\nAudit Follow-Up Coordinator, Office of Environmental Information\n\x0c'